diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 151abd1..9b31a01 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -26,6 +26,70 @@ jobs:
         shell: pwsh
         run: dotnet publish .\CPRNIMS.WebApps\CPRNIMS.WebApps.csproj -c Release -o C:\ci-output\webapps
 
+      # ---- Generate production config from Gitea Actions secrets (never committed to git) ----
+      - name: Write production appsettings - WebApi
+        shell: pwsh
+        env:
+          TAVILY_KEY: ${{ secrets.LLI_NON_INVENTORY_PROD_TAVILY_API_KEY }}
+          GROQ_KEY: ${{ secrets.LLI_NON_INVENTORY_PROD_GROQ_API_KEY }}
+          JWT_SECRET: ${{ secrets.LLI_NON_INVENTORY_PROD_JWT_SECRET }}
+          DB_CONN: ${{ secrets.LLI_NON_INVENTORY_PROD_DB_CONNECTION }}
+          LOCALPURCH_CONN: ${{ secrets.LLI_NON_INVENTORY_PROD_DB_LOCALPURCH_CONNECTION }}
+        run: |
+          $config = @{
+            Tavily = @{
+              ApiKey = $env:TAVILY_KEY
+              SearchUrl = "https://api.tavily.com/search"
+            }
+            Groq = @{
+              ApiKey = $env:GROQ_KEY
+              ApiUrl = "https://api.groq.com/openai/v1/chat/completions"
+              Model = "llama-3.1-8b-instant"
+            }
+            JWT = @{
+              ValidAudience = "https://lloydwebapi.lloydlab.com:2021"
+              ValidIssuer = "https://lloydwebapi.lloydlab.com:2021"
+              Secret = $env:JWT_SECRET
+            }
+            WebEndPoint = @{
+              ForgotPassword = "https://llipurchasingnoninventory.com:8080/"
+              SupplierForm = "https://llipurchasingnoninventory.com:8083/"
+            }
+            ConnectionStrings = @{
+              DefaultConnection = $env:DB_CONN
+              LocalPurchConn = $env:LOCALPURCH_CONN
+            }
+          }
+
+          $json = $config | ConvertTo-Json -Depth 5
+          $json | Out-File -FilePath "C:\ci-output\webapi\appsettings.Production.json" -Encoding utf8
+          Write-Host "Wrote appsettings.Production.json to webapi output (values masked in this log automatically)"
+          exit 0
+
+      # ---- Generate production config for WebApps (uses Variables, not Secrets, since BaseUrl isn't sensitive) ----
+      - name: Write production appsettings - WebApps
+        shell: pwsh
+        env:
+          API_BASE_URL: ${{ vars.LLI_NON_INVENTORY_PROD_API_BASE_URL }}
+        run: |
+          $config = @{
+            CommonEndpoints = @{
+              ApiDefaultHeaders = @{
+                BaseUrl = $env:API_BASE_URL
+                ESignaturePath = "https://llipurchasingnoninventory.com:8080/Content/Images/Signatures/"
+                ItemImages = "https://llipurchasingnoninventory.com:8080/content/images/"
+                ContentTypeMedia = "application/json"
+                Authorization = "token"
+                ErrorMessage = "api/ErrorLogs/ErrorMessage/"
+              }
+            }
+          }
+
+          $json = $config | ConvertTo-Json -Depth 5
+          $json | Out-File -FilePath "C:\ci-output\webapps\appsettings.Production.json" -Encoding utf8
+          Write-Host "Wrote appsettings.Production.json to webapps output"
+          exit 0
+
       # ---- Backup current live deployment before touching anything ----
       - name: Backup current live files
         shell: pwsh